Title: Security and privacy in mobile environments
Language: English
Authors: Merzdovnik, Georg
Qualification level: Doctoral
Keywords: Security; Privacy; Network Security; Mobile Operating Systems; Android; TLS; Certificate Pinning
Advisor: Weippl, Edgar R.
Issue Date: 2017
Number of Pages: 141
Abstract:
The number of smartphones is constantly increasing, and they have become a central part of our lives. A large part of their success is due to the number of available applications. While these applications open up many opportunities for their users, they can also pose risks. Given the number of available applications, it is inevitable that some of them are low-quality software. While such applications may not pose a direct risk to the device itself, many of them communicate with some kind of back-end server on the internet. Furthermore, "free" applications often include some kind of advertisement, which in turn has to be loaded from a server. We analyze the existing ecosystem of third-party tracking in web and mobile applications and evaluate defenses according to their effectiveness in blocking tracking efforts. We show that a lot of information is still transmitted in clear text, without the use of Transport Layer Security (TLS). In addition, even when TLS is used, this tracking information can still be used by attackers for certain kinds of attacks. Based on our findings, we propose different approaches to protect user privacy and security. Specifically, we explore notary-based schemes for certificate validation and provide a longitudinal study of the certificate validation capabilities of available notary services. Mobile apps already employ certificate pinning to prevent interception attacks; however, the application still needs to be updated whenever the pinned certificate changes. We therefore provide an on-device certificate pinning solution that utilizes notary services to update pinned certificates automatically and transparently for the user. Finally, we evaluate existing Android malware analysis platforms and provide metrics on the effectiveness and inter-dependencies of these services. This allows security analysts to select the best-fitting system, or subset of systems, for their analysis task.
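The notary-assisted pin update outlined in the abstract, as an added illustrative model; this is not code from the thesis, and the thesis's actual notary protocol, quorum rule and pin format may differ. It assumes SHA-256 fingerprints of the SubjectPublicKeyInfo as pins, a two-of-three notary quorum, constructed byte strings standing in for DER-encoded SPKI blobs, and notaries modelled as offline lookup tables so the example runs without a network:

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the DER-encoded SubjectPublicKeyInfo, hex-encoded.
    Pinning the SPKI rather than the whole certificate survives re-issuance
    of a certificate for the same key."""
    return hashlib.sha256(spki_der).hexdigest()


@dataclass
class Notary:
    """A notary modelled offline (assumption: a real notary is queried over the
    network). `seen` maps host -> the SPKI the notary observed from its own
    vantage point; an unreachable notary answers None."""
    name: str
    seen: Dict[str, bytes]
    reachable: bool = True

    def observe(self, host: str) -> Optional[str]:
        if not self.reachable or host not in self.seen:
            return None
        return spki_fingerprint(self.seen[host])


@dataclass
class PinStore:
    """On-device pin set: host -> accepted SPKI fingerprints."""
    pins: Dict[str, Set[str]] = field(default_factory=dict)


def validate(store: PinStore, notaries: List[Notary], host: str,
             observed_spki: bytes, quorum: int = 2) -> str:
    """Decide whether to accept the server key presented in a TLS handshake.

    Returns one of:
      "accept-pinned"  - key matches an existing pin
      "accept-updated" - pin mismatch, but at least `quorum` notaries
                         independently see the same key, so it is treated as
                         a legitimate rotation and the pin is replaced
                         without shipping an app update
      "reject"         - pin mismatch and the notaries do not confirm the key
                         (interception, or too few notaries reachable)
    """
    fp = spki_fingerprint(observed_spki)
    if fp in store.pins.get(host, set()):
        return "accept-pinned"
    # Pin mismatch: ask the notaries what they see for this host from their
    # own network paths. A local interceptor cannot make a remote notary
    # observe the interceptor's key.
    votes = [n.observe(host) for n in notaries]
    agree = sum(1 for v in votes if v == fp)
    if agree >= quorum:
        store.pins[host] = {fp}  # transparent pin rotation
        return "accept-updated"
    return "reject"


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
OLD_SPKI = b"constructed-spki-old-key"
NEW_SPKI = b"constructed-spki-rotated-key"
MITM_SPKI = b"constructed-spki-interceptor-key"
HOST = "api.example.com"


def demo() -> List[str]:
    """Key rotation versus interception, as seen from the client's pin store."""
    store = PinStore({HOST: {spki_fingerprint(OLD_SPKI)}})
    notaries = [
        Notary("n1", {HOST: NEW_SPKI}),
        Notary("n2", {HOST: NEW_SPKI}),
        Notary("n3", {HOST: NEW_SPKI}, reachable=False),
    ]
    return [
        validate(store, notaries, HOST, OLD_SPKI),   # accept-pinned
        validate(store, notaries, HOST, MITM_SPKI),  # reject: no notary sees it
        validate(store, notaries, HOST, NEW_SPKI),   # accept-updated (2 of 3)
        validate(store, notaries, HOST, NEW_SPKI),   # accept-pinned
        validate(store, notaries, HOST, OLD_SPKI),   # reject: pin was rotated
    ]


if __name__ == "__main__":
    print(demo())
```

The quorum is the security-versus-availability knob: too low and a single compromised or misled notary can rotate a pin, too high and a legitimate rotation fails whenever notaries are unreachable. In a deployment the notary queries themselves must travel over a path the interceptor cannot also control, otherwise the notary answers carry no more assurance than the intercepted handshake.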
Library ID: AC13773886
Organisation: E188 - Institut für Softwaretechnik und Interaktive Systeme
Publication Type: Thesis
Appears in Collections: Thesis